Member Avatar for Omni

Having some issues with securing my home FTP server running FileZilla FTP Server. Basically I was running through the guide on Life hackers guide on how to setup a personal home web server Click Here. Regarding the section of locking down directory access from HTTP I did the following.

  1. Edited the CONF file of the Apache to AllowOverride All

http://i965.photobucket.com/albums/ae140/omnispectralstudios/CONF_zpsa0d5caba.png

  1. Created the encryption text file using command line.

http://i965.photobucket.com/albums/ae140/omnispectralstudios/cmdline_zps8a17a833.png
http://i965.photobucket.com/albums/ae140/omnispectralstudios/passfile_zpsdc0c938e.png

  1. Created the .htaccess file using notepad and placed in the directory that was live on the HTTP end

http://i965.photobucket.com/albums/ae140/omnispectralstudios/Directory_zpsf6730d59.png

But when I access my web server through HTTP I get no password prompt and just the standard directory listing. I see the .htaccess file extension as well (which I'm not sure is correct or not).

http://i965.photobucket.com/albums/ae140/omnispectralstudios/Index_zps49764205.png

Sooo what exactly am I doing wrong here? The instructions are pretty straight forward so I doubt I missed a step. The thing is that I really need to lock down these directories with as much security as possible. Additional advice from seasoned FTP vets are very welcome.

Edited by Omni because: no url tagging
  • 2 Contributors
  • 5 Replies
  • 619 Views
  • 20 Hours Discussion Span
  • Latest Post Latest Post by cereal
Member Avatar for cereal

Hi,

the .htaccess file is used for HTTP connections, not for FTP access. The article in LH talks about HTTP Authentication: when you open an URL it appears a prompt that asks for username and password, those specified in .htpasswd. If Apache is properly configured then the HTTP access will be limited to the DocumentRoot of the server, but an FTP user will have complete access unless you don't jail it to a specific path (i.e. directory).

In order to secure your FTP server follow these instructions:

There is an example that explain how to add users to Filezilla Server, those users will be able to access your server. Disable also anonymous access, i.e. remove the anonymous user.

Edited by cereal
Member Avatar for Omni

"the .htaccess file is used for HTTP connections"

But this is an HTTP connection. Im navigating to these directories by web browser, not by an FTP client. The FTP end is already moderated by user accounts.

Apache is hosting the web server and using my WAN address as the FTP directory address on HTTP. I've delegated the directory shown in the above picture in Apache as the Documentroot so thats also working properly. As far as I can tell it everything is configured - minus the HTAccess not working.

The guide you have given me is for setting up the FTP server for FTP connections using a client, which I have already done. I'm more concerned on the HTTP side of things.

Member Avatar for cereal

Having some issues with securing my home FTP server running FileZilla FTP Server.

Ok, sorry I was confused by the above.

The name of the file must be .htaccess not pass.htaccess. This is a filename which starts by dot. Otherwise it will not be considered by Apache.

Instead of using .htaccess that can be edited by a user accessing through FTP, you can apply these rules in server or virtual host config, in the Directory directive:

<Directory "E:/FTP Data/Optimo Movement">
    AllowOverride All
    AuthType Basic
    AuthName "Restricted Area"
    AuthBasicProvider file
    AuthUserFile "C:/Document and Settings/Patrick/MyDocuments/ftp-pass.txt"
    Require valid-user
</Directory>

The AuthGroupFile is not mandatory, so, if you don't use a file to identify groups, it can be removed.

When you have finished reload Apache and it should work fine.

Member Avatar for Omni

Thanks that worked! I didnt realize you could not give the .htaccess a file name.

I'm actually more interested in your alternative since I agree that I do not like how you can see the .htaccess file on the FTP listing.

When you say directory directive on the virtual host config, are you referring to the CONF file in the apache folder here? Click Here

Edited by Omni
Member Avatar for cereal

I do not like how you can see the .htaccess file on the FTP listing.

The .htaccess files are usually available to the clients so they can apply some rules to their websites, as url rewrites, or restricted areas. But if you apply an authentication method for your users, then it's better to apply it in the Directory context.

are you referring to the CONF file in the apache folder here?

In your case probably yes, I'm not used to Windows setups. In Linux environments the Apache configuration files are usually splitted in:

  • few server config files: httpd.conf, apache2.conf and modules files
  • and many virtual host config files, one per each domain

the firsts are general for all the websites, the others are specific to each website. When Apache loads the configuration will merge all these files. The different areas of this flow is identified in the Apache documentation by the context directive:

In fact, if you look at the Apache core documentation, you will see for each directive the context in which this can be applied. Check the previous post link to the Directory directive, for example.

Note: In your screenshot I see:

<Directory />
    # rules
</Directory>

Keep in mind that / stands for the root of the system, in Apache this is called ServerRoot, you should define a DocumentRoot and setup the Directory to point the same path, something like:

<VirtualHost *:80>

    # other rules

    DocumentRoot "E:/FTP Data/Optimo Movement"

    <Directory "E:/FTP Data/Optimo Movement">
        AllowOverride All
        AuthType Basic
        AuthName "Restricted Area"
        AuthBasicProvider file
        AuthUserFile "C:/Document and Settings/Patrick/MyDocuments/ftp-pass.txt"
        Require valid-user
    </Directory>
</VirtualHost>

I see the DocumentRoot is already defined, so change the Directory directive, otherwise who opens the website can access the entire filesystem.

Note a part: in the virtual host files you can also setup more than one domain, for example domain.tld and sub domains mail.domain.tld, images.domain.tld. Or as in Windows you can use the main configuration file where you setup many <VirtualHost *:80> blocks. It's a flexible solution.

Edited by cereal
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.